News, Analysis and Perspective for Solution Providers and Technology Integrators

Security consultants and other experts tell CRN that their clients sometimes forget that compliance doesn't equal security. Merchants must abandon the PCI compliance checkbox and focus on a fully supported and sustained security program, they say.

The focus is too often on documenting systems to meet regulatory compliance mandates rather than protecting the underlying data, said Chris Camejo, director of consulting and professional services at NTT Com Security. Retailers and other merchants that accept credit cards should conduct regular testing of their security controls to evaluate whether changes to the environment open up new weaknesses that can trigger a breach.

"The best thing anyone can do to prevent breaches like this is to treat security as more than just a checkbox, instead of considering what the threats and vulnerabilities are and addressing the resulting risks regardless of compliance requirements," Camejo said.

Qualified security assessors, who certify business systems for compliance with the Payment Card Industry Data Security Standards, say the assessment is a snapshot in time. Merchants are required to maintain compliance throughout the year, said Jerry Irvine, CIO of Schaumburg, Ill.-based Prescient Solutions, an IT outsourcing firm. Vigilance is the only way to reduce the risk of a major security incident, Irvine said. Cybercriminals will probe the network for system vulnerabilities and configuration weakness, and once they gain initial access, they seek out valid account credentials, Irvine said. Once the attacker has valid credentials, they're only a few steps away from gaining access to sensitive files.

"Hackers have significantly more tools to get into the systems they want to get into than we as professionals have to protect our systems from them," Irvine said. "Even with automated intrusion prevention systems and other security appliances, suspicious activities are missed."

Target released few details regarding the cause of its data breach, which company confirmed Thursday exposed up to 40 million credit and debit cards. The retailer said it is using a third-party forensics team to investigate the extent of the breach. So far, the retailer said the scope is limited to its brick-and-mortar locations. The retailer's e-commerce website was overhauled in 2011 and uses a different payment system. Meanwhile, the initial weakness that enabled attackers to gain access was identified and fixed, the firm said in a statement released on Thursday.

The PCI Security Standards Council formally launched version 3.0 of the PCI DSS requirements, which extended compliance to service providers charged with implementing or maintaining payment systems.

A key to better protecting intellectual property and personally identifiable information may be a greater involvement from business executives in risk-based decisions, according to recent survey of nearly 750 security and risk professionals. Firms that involve senior business leaders in risk-based security programs see a reduction in the time it takes to address vulnerabilities and policy violations and ultimately a reduction in repeat audit findings, according to
Ponemon Institute's October report on "The State of Risk-Based Security Management."

Breaches come down to a fundamental immaturity in the security industry that relies too heavily on technology and too little on strategies that are practical and address the biggest risks first, said Josh Stone, director of product management at TraceSecurity, a security firm that sells an IT GRC platform.

"In many ways, organizations are trying to solve the broader issues with a single technology rather than prioritizing and addressing the most pressing needs first," Stone said. "You can segment off the payment systems from the rest of the network, but once an attacker gains access to the environment that surrounds the payment systems, they get closer to the jewels and eventually figure out a way, like they appear to have done at Target, to cross that boundary."